Call Issued for Further Guidance on HIPAA Minimum Necessary Standard

Melissa Martin, Board President of the American Health Information Management Association (AHIMA), gave testimony at a National Committee on Vital and Health Statistics (NCVHS) hearing last week on the minimum necessary standard of the HIPAA Privacy Rule.

The aim of the hearing was to determine whether the Department of Health and Human Services should issue an update to the standard to ensure it can continue to be met by healthcare organizations, and to assess whether there is a need for further guidance in light of the technology changes in the healthcare industry since its introduction.

According to Martin’s testimony, there is still considerable confusion over the standard and what constitutes the “minimum necessary information”.

Under the minimum necessary standard, HIPAA-covered entities are required to make reasonable efforts to ensure that access to PHI is limited to the minimum necessary information to accomplish the intended purpose of the use, disclosure or request.

Organizations must identify individuals or groups of persons within the organization who are required to be given access to PHI, and limit the categories of PHI that those individuals or groups are permitted to access. For instance, organizations should not permit an entire medical record to be accessed or disclosed unless they can justify that access to the entire record is necessary. The same applies to business associates. If business associates are contracted to perform a specific healthcare operation, they should be provided with the minimum necessary information for that operation to be performed.

Martin said at the hearing that the definition of the standard needs to be clarified and that this should be addressed in future HHS guidance. At present, covered entities are permitted to decide what the minimum necessary information is. Interpretation of the standard is therefore inconsistent. Martin said that this could potentially lead to litigation if patients or their legal representatives disagreed with a healthcare organization’s interpretation of the standard.

Martin also said there were now technology challenges that must be considered, pointing out that “as technology continues to advance, so too will the technological challenges associated with complying with the minimum necessary standard.” One technology challenge concerns EHR systems. The systems do allow access to PHI to be controlled, but Martin pointed out that EHR systems often “lack the sophistication to sequester patients by assigned employees.” She went on to explain, “this often leads to approval for ‘any and all’ access rather than imposing certain access restrictions on the PHI.”
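The two access limitations described above (restricting each role to the PHI categories it needs, and sequestering patients so that staff only see patients assigned to them) can be expressed as a single deny-by-default access decision. The following is an added illustration written for this page; it is not code from AHIMA, HHS, HIPAA Journal or any EHR vendor. The role names, PHI categories, patient records and assignment lists are all constructed, and the "purpose" of a request is approximated by the set of categories the caller asks for.

```python
"""Minimum-necessary access filter (added illustration; all data constructed)."""
from dataclasses import dataclass, field

# Constructed policy: each workforce role is entitled only to the PHI categories
# its function requires. A role missing from this table gets nothing.
ROLE_CATEGORIES = {
    "scheduler": {"demographics"},
    "billing_clerk": {"demographics", "insurance", "procedure_codes"},
    "nurse": {"demographics", "allergies", "medications", "vitals"},
    "attending_physician": {"demographics", "allergies", "medications",
                            "vitals", "lab_results", "notes"},
}

# Constructed sample records. Each PHI element is stored under its category so
# that disclosure can be limited per category rather than "whole record or nothing".
RECORDS = {
    "P001": {
        "demographics": {"name": "Pat Example", "dob": "1980-01-01"},
        "insurance": {"payer": "ExamplePlan", "member_id": "X-0001"},
        "procedure_codes": ["99213"],
        "allergies": ["penicillin"],
        "medications": ["lisinopril 10mg"],
        "vitals": {"bp": "128/82"},
        "lab_results": {"a1c": 6.1},
        "notes": "Routine follow-up.",
    },
    "P002": {
        "demographics": {"name": "Sam Sample", "dob": "1975-06-30"},
        "insurance": {"payer": "ExamplePlan", "member_id": "X-0002"},
        "allergies": [],
        "medications": ["metformin 500mg"],
    },
}


@dataclass
class AccessDecision:
    granted: bool
    reason: str
    disclosed: dict = field(default_factory=dict)   # only the permitted categories
    withheld: set = field(default_factory=set)      # everything else that exists or was asked for


# Every decision, granted or not, is recorded so that access can be reviewed later.
AUDIT_LOG: list = []


def minimum_necessary(user, role, patient_id, assigned_patients, requested=None):
    """Return the subset of a patient's PHI that this role may see for this request.

    assigned_patients: patient ids the user is assigned to (the per-patient
    sequestering the testimony says EHR systems often lack).
    requested: categories the caller asked for; None means "whatever the role
    is entitled to", and never means "the entire record".
    """
    permitted = ROLE_CATEGORIES.get(role, set())
    record = RECORDS.get(patient_id)
    if record is None:
        decision = AccessDecision(False, "unknown patient")
    elif patient_id not in assigned_patients:
        decision = AccessDecision(False, "user is not assigned to this patient")
    elif not permitted:
        decision = AccessDecision(False, f"role {role!r} has no PHI entitlement")
    else:
        wanted = permitted if requested is None else set(requested)
        allowed = wanted & permitted                     # intersection, not union
        disclosed = {c: record[c] for c in allowed if c in record}
        withheld = (set(record) | wanted) - set(disclosed)
        decision = AccessDecision(True, "minimum necessary applied", disclosed, withheld)
    AUDIT_LOG.append((user, role, patient_id, sorted(requested or []),
                      decision.granted, sorted(decision.disclosed)))
    return decision


if __name__ == "__main__":
    d = minimum_necessary("clerk01", "billing_clerk", "P001", {"P001"},
                          requested={"insurance", "notes"})
    print(d.granted, sorted(d.disclosed), sorted(d.withheld))
    print(minimum_necessary("rn07", "nurse", "P001", assigned_patients={"P002"}).reason)
```

The important design choice is that the function never returns the record object itself: the caller receives a dictionary containing only the intersection of what was requested and what the role is entitled to, and the audit entry records what was actually disclosed rather than what was asked for. A request for a category outside the role's entitlement (the billing clerk asking for clinical notes above) is silently trimmed rather than escalated to "any and all" access.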

There are also a number of regulatory challenges. Martin explained that various initiatives such as the Qualified Entity Program under Medicare and the Precision Medicine Initiative, which encourage the sharing of data, have resulted in the sharing of an increasing amount of PHI. As we move toward a fully interoperable healthcare system, the concept of the minimum necessary standard is now being applied to fewer transactions.

Prior to the hearing, AHIMA conducted a survey of its members who worked in privacy and security, data analytics, clinical documentation improvement, and education. 38% were unsure whether a definition of the minimum necessary standard had been adopted, and 14% of respondents said they did not have a definition of the minimum necessary standard. 21% were in the process of developing a definition. One third of respondents said they had no policies and procedures relating to the minimum necessary standard.

Martin made a number of recommendations at the hearing:

The HHS should develop a clearer definition of the minimum necessary standard

The role of metadata in the minimum necessary standard must be considered in future guidance

The limitations of technology should be considered and addressed in future guidance

It is necessary to enhance focus on patients’ needs and consider the role of the steward when developing guidance

There is a need to improve standardization of the implementation of the minimum necessary standard to ensure that patients have clear expectations of the PHI that will be disclosed or used to perform particular functions

The HHS should supply educational materials along with future guidance. FAQs and fact sheets would be useful in this regard to help healthcare organizations educate staff on any changes to the standard.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.